Terminology
Domain: Logical security boundary to group users and computers.
Schema class: defines the types of objects in Active Directory.
Schema attributes: Which of the following defines the types of information stored in an Active Directory object.
Domain Controller(DC): A computer running windows server with active directory domain services role installed. Each DC can service only one domain. Each DC contains a full replica of the objects that make up the domain, and is responsible for the functions:
- Storing a copy of domain data and replicating changes to that data to all other domain controllers throughout the domain.
- Providing data search and retrieval functions for users attempting to locate objects in the directory.
- Providing authentication and authorization services for users who log on the domain and attempt to access network resource.
Directory partition:
Each section of AD database is referred to as a directory partition.
- Schema Partition:Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the attribute definitions. You can view the contents of the Schema container in the Active Directory Schema console.
- Domain Partition:There is one domain directory partition for each domain, many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers, and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values. Change s to the domain directory partition can occur on any DC in the domain except RODCs.
Contains a < domain > container (for example, the Frankfu.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Frankfu.com domain). Updates to the < domain > container are replicated to only domain controllers within the domain and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The < domain > container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed. - Global catalog partition: This partition holds the global catalog, which is a partial replica of all objects in the forest. It stores the most commonly accessed object attributes to facilitate object searches and user logons across domains. The GC is built automatically by domain replication of object attributes flagged for inclusion. Admins can not make change to this partition.
- Configuration Partition: There is only one configuration partition per forest. Second on all domain controllers in a forest, the configuration partition contains information about the forest-wide active directory structure including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest. Application can also store configuration information in this partition. You can view the contents of the Configuration container by using ADSI Edit.
- Application Partition: Application partitions store information about applications in AD that benefits from automatic AD replication and security. Each application determines how it stores, categorizes, and uses application specific information. To prevent unnecessary replication to specific application partitions, users can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog. Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
As an example of application partition, if a Domain Name System (DNS) that is integrated with Active Directory is used, there are two application partitions for DNS zones – ForestDNSZones and DomainDNSZones:
- ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.
- DomainDNSZones are unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partitions store the domain DNS zone in the DomainDNSZones<domain name>.
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
More about application partition: https://technet.microsoft.com/en-au/library/cc784421(v=ws.10).aspx
More about Active directory Partition: https://technet.microsoft.com/en-us/library/cc961591.aspx
Active directory’s physical structure
It consists of sites and servers configured as domain controllers.
- Site: Physical location. One or more IP subnets connected by high-speed LAN.
Reasons for establishing multiple sites:
→ Authentication Efficiency
→ Replication Efficiency
→ Application Efficiency: Exchange Server and Distributed File system.
- Servers: DCs.
Active directory’s logical structure
4 organizing components of Active Directory:
- Organizational Units (OUs): A directory container used to organize a network’s users and resources into logical administrative units.
OUs can be nested as many levels as necessary. It represent Policy boundary, organizational tool.
Owner of OU: Unlike an object’s creator becoming its owner in file system permissions, the Domain Admins Group is assigned ownership of new Active Directory objects by default. - Domains: It represents administrative, security and policy boundaries.
- Trees:
Simply a grouping of domains that share a common naming structure. It consists a parent domain and possibly one or more child domains that have the same second-level and top-level domain names as the parent domain. - Forests
A collection of one or more trees. Each tree in the forest has a different naming structure. The first domain installed in a forest is called forest root.
A forest’s main purpose is to provide a common Active Directory environment (same schema,same global catalog) , in which all domains in all trees can communicate with one another and share information yet allow independent operation and administration of each domain.
Eg. OU represents a city, a domain is the state, a tree is a country, a forest is the continent.
Forest root domain
The first domain created in windows network. Functions:
- DNS server
- Global catalog server
- Forestwide administrative accounts
- Operations masters
The function of Global Catalog(GC) server
GC contains a partial replica of all objects in the forest.
- Facilitates domain and forestwide searches, locate objects throughout the forest.
- Facilitate logon across domains: By using user principal name(UPN).
- Hold universal group membership information: When a user logs on to the network, all the user’s group memberships must be resolved to determine rights and permissions. GC servers are the only domain controllers that hold universal group membership information.
A universal group is the only type of group that can contain accounts from other domains, which is why this information must be stored in the GC.
The Global Catalog and Universal Group Membership Caching
As you’ve learned, the global catalog is a critical component for many Active Directory operations. It’s the only place where universal group membership information is maintained, and it contains a partial replica of all domain objects. Access to a global catalog server must be considered when designing sites and configuring site replication. Having a global catalog server used to be critical in sites with more than a few users because it speeded logons and forest wide searches for Active Directory objects. However, replication traffic is increased considerably in sites with global cata log servers, particularly if there are several large domains in your Active Directory forest.
Universal group membership caching, first available in Windows Server 2008, handles the potential conflict between faster logons and increased replication traffic. When this feature is enabled, the first time a user logs on to a domain in the site with no global catalog server, the user’s universal group membership information is retrieved from a global catalog server in a different site. Thereafter, the information is cached locally on every DC in the site and updated every 8 hours, so there’s no need to contact a global catalog server.
Active Directory replication: Transfer of information among domain controllers to make sure all domain controllers have consistent and up-to-date information. 15 seconds after a change is made and once per hour when no changes have.
Sysvol folder: a shared folder that stores the information from active directory that’s replicated to other domain controllers.
Store the folders in separate disks for optimal performance.
Folder Objects:
- Builtin: Mainly used to assign permissions to users who have administrative responsibilities in the domain.
- Computers: Default location for computers accounts created when a new computer or server become a domain member.
- ForeignSecurityPrincipals: initially empty but later contains user accounts from other domains added as members of the local domain’s groups.
- Users: Stores two default users(administrative and Guest) and several default groups.
You can not create new folder objects, nor can you apply group policies to folder objects. You can delegate administrative control on all but the Builtin folder.
Trust
With a trust relationship between domains in the same forest or in different forests,
- users can access resources across domains without having to log on more than once.
- A user account needs to exist in only one domain, which simplifies user management.
Trusts between domains in the same forest are created automatically, between domains in separate forests there is no automatic trust.
Do not confuse trusts with permissions, permissions are still required to access resources, even if a trust relationship exist. When there is no trust relationship between domains, no access across domains is possible.
Tasks can be delegated in OU:
- Create, delete, and manage user accounts.
- Reset user passwords and force password change at next logon.
- Read all user information.
- Create, delete, and manage groups
- Modify the membership of a group
- Manage group policy links
- Generate resultant set of Policy (Planning)
- Generate resultant set of Policy (Logging)
New in win2012:
- Create , delete, and manage inetOrgPersion accouts
- Reset inetOrgPerson passwords and force password change at next logon
- Read all inetOrgPerson information
Empty root:
An empty root structure is one in which the first domain(root domain) is designed so that it does not include any user or computer accounts. The other child domain under the root domain will contain all of the user and computer accounts. This is setup is beneficial from a security perspective in that the Enterprise and Schema admins groups are isolated from other users and administrators. With this design, a few administrators can be selected to control the Enterprise and Schema Admin groups, and all other administrators reside in the child domains, configured to be Domain Admins.
AD object permissions
Security Principals: Users, groups, computers
Object’s security descriptor:
- Discretionary access control list (DACL):
A list of security principals, with each having a set of permissions that define access to the object. Each entry in the DACL is referred to as an access control entry. - Object owner:
Usually the user account that created the object or a group or user who has been assigned ownership of the object.
The Owner can still assign permission to its object even if the owner isn’t in the object’s DACL. - System access control list ( SACL)
Defines the settings for auditing access to an object.
Standard permissions:
- Full control: user can perform all actions granted by all the standard permissions, change permissions, and take ownership of the object.
- Read: view object and their attributes and premissions.
- Write: change the object’s attributes
- Create all child objects: users can create new child objects in the parent object.
- Delete all child objects: users can delete child objects.
Ways to assign permission:
- Explicit permission: User’s account is added to the object’s DACL manually.
- A group the user belongs to is added to the object’s DACL
- The permission is inherited from a parent object’s DACL to which the user or group account has been added..
Effective Permissions:
A user has been assigned permission to an object in a combination of the above ways, the final result permission is the effective permission.
In general, explicit permission overrides inherited permission, in same level permission, deny permission overrides an allow permission.
An exception is: if the Deny permission is inherited from a parent object, and the allow permission is explicitly added to the object’s DACL, the Allow permission take precedence if there is a conflict.
User Principal Name(UPN): User can log on to computers in any domain by using the UPN, the format is username@domain . A GC is contacted to resolve the UPN.
Trusts
To say domain A trust domain B means that users in domain B can be given permission to access resources in Domain A.
Trusting Domain: Domain A.
Trusted Domain: Domain B.
In active directory design documentation, a trust relationship is drawn with an arrow point from the trusting domain to the trusted domain.
Types of trust:
1 One-way and two-way trusts
One-way: one domain trusts another, but reverse is not true.
Two-way: both domains can be given access to resources in the other domain.
2. Transitive trusts
This only applys to domain, not forest!
This is created automatically in two-way trusts. If domain A trusts domain B, B trust C, then A trusts C.
If there are multiple steps between first site and final site, there will be substantial delay. And shortcut trust is the solution.
3. Shortcut trust.
Is configured manually between domains to bypass the normal referral process. It can be configured as one-way or two-way.
4. Forest trust ( win2003 or later)
One-way or two-way transitive trust between forests that allow security principals in one forest to access resources in any domain in another forest. It is created between the forest root domain.
5. External trusts
A trust between two domains that are not in the same forest.
It is used in these circumstances:
- Creating trust between two domains in different forests
- Creating a trust with a windows 2000 or NT domain
6. Realm Trusts
A realm trust can be used to integrate users of other OSs into a windows server domain or forest. It requires the OS to be running the Kerberos v5 authentication system that Active Directory uses.
Security Considerations for Trusts
https://technet.microsoft.com/en-us/library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff1#w2k3tr_trust_security_vpbp
Replication:
Intrasite replication: replication between domain controllers in the same site. Occurs 15 seconds after a change is made on a domain controller, with a 3 second delay between each replication partner.
Intersite replication: between DCs in different sites.
KCC ( knowledge consistency checker):
runs on every DC to determine the replication topology, which define the domain controller path that Active directory changes flow through.
KCC is designed to ensure no more than 3 hops between any two domain controllers.
When the KCC detects that replication must occur between sites, one domain controller in each site is designated as the Inter-Site Topology Generator ( ISTG). The ISTG then designates a bridgehead server to handle replication for each directory partition. The administrator can assign the bridgehead server to a specific domain controller.
For more: http://frankfu.click/microsoft/windows-2012/configuring-and-maintaining-ad-infrastructure-2/
Powershell
- Create new OU: New-ADOrganizationalUnit unit_name -path “…dc=2nd_domain,dc=top_domain”
E.g. New-ADOrganizationalUnit TestOU3 -Path “dc=411Dom1,dc=local” - Create user account: New-ADUser “full_name” -SamAccountName “logon_name” -Path “...dc=2nd_domain,dc=top_domain” -PasswordNeverExpires $True
e.g. New-ADUser “Test User6” -SamAccountName “testuser6” -Path “ou=TestOU3,dc=411Dom1,dc=local” -PasswordNeverExpires $True
- SamAccountName: Specifies the Security Account Manager (SAM) account name of the user, group, computer, or service account. The maximum length of the description is 256 characters. To be compatible with older operating systems, create a SAM account name that is 20 characters or less. This parameter sets the SAMAccountName for an account object. The LDAP display name (ldapDisplayName) for this property is “sAMAccountName”.
- create group: New-ADGroup Group_name –Path “..dc=2nd_domain,dc=top_domain” -GroupScope group_type
e.g.New-ADGroup PSO-Group –Path “ou=TestOU1,dc=411Dom1,dc=local” -GroupScope Global
Related page: